opensecret 0.0.2 → 0.0.4

data/lib/opensecret/factbase/published.facts/credential-facts.ini

@@ -0,0 +1,40 @@
+
+# --
+# -- If a plugin requires AWS IAM user credentials you must
+# -- define the directory the credentials are in within the
+# -- [plugin+platform] fact file.
+# --
+# -- A credentials INI factfile is expected to exist within
+# -- that directory with the name
+# --
+# --    => [:eco][id] + ".aws.credentials.ini"
+# --    => ci.hub.aws.credentials.ini [(if id is ci.hub)]
+# --
+# -- To specify AWS IAM credentials for a plugin, you
+# --
+# --   [1] specify [:aws][:keys_folder] in [plugin+platform]
+# --   [2] put <<eco.id>>.aws.credentials.ini inside folder
+# --
+# -- The format of the credentials file for a plugin ID of
+# -- (ci.hub) named [ci.hub.aws.credentials.ini] would be
+# --
+# --  [ci.hub]
+# --  aws.access.key  =  AKIA12345
+# --  aws.secret.key  =  abc123secret
+# --  aws.region.key  =  us-east-2
+# --
+# -- ----------------------------
+# -- AWS Credentials | Summary
+# -- ----------------------------
+# --
+# -- [One] plugin running on [a] workstation or inside [a]
+# -- container can only use [one] set of IAM user credentials
+# -- located in [an] accessible folder (on a removable drive).
+# --
+
+[aws]
+creds.name      =  e>> @f[:eco][:id] + Do.t + "aws.credentials.ini"
+dir.exists?     =  e>> !@f[@i[:workstation]][:aws_creds_dir].nil?
+creds.path(if)  =  { @s[:dir_exists?] } e>> File.join @f[@i[:workstation]][:aws_creds_dir], @s[:creds_name]
+creds.exist?    =  e>> exists?(@s[:creds_path]) && File.exists?(@s[:creds_path])
+

data/lib/opensecret/factbase/published.facts/infrastructure-facts.ini

@@ -0,0 +1,63 @@
+
+[terraform]
+aws.instance.id =  e>> "ec2-" + @f[:stamp][:mini_2]
+aws.sgroup.id   =  e>> "acl-" + @f[:stamp][:mini_2]
+route53.dns.id  =  e>> "dns-" + @f[:stamp][:mini_2]
+route53.www.id  =  e>> "www-" + @f[:stamp][:mini_2]
+route53.ssl.id  =  e>> "ssl-" + @f[:stamp][:mini_2]
+resource.group  =  e>> @f[:stamp][:midi]
+
+ec2.acl.name    =  e>> "acl." + @f[:stamp][:midi]
+ec2.tag.name    =  e>> "ec2." + @f[:stamp][:midi]
+ebs.tag.name    =  e>> "ebs." + @f[:stamp][:midi]
+ec2.acl.desc    =  e>> "Rules (acl) for the " + @f[:stamp][:midi] + " tcp/ip traffic."
+
+username        =  ubuntu
+keypair.name    =  e>> "keypair." + @f[:stamp][:midi]
+private.key     =  e>> File.join @f[:runtime][:dir], ( @s[:keypair_name] + ".pem" )
+
+aws.exe.win     =  windows_amd64/terraform-provider-aws_v1.7.0_x4.exe
+aws.exe.linux   =  linux_amd64/terraform-provider-aws_v1.6.0_x4
+
+exe.filename(if)=  { Gem.win_platform? } e>> @s[:aws_exe_win]
+exe.filename(un)=  { Gem.win_platform? } e>> @s[:aws_exe_linux]
+exe.source.dir  =  e>> File.join @f[:runtime][:dir], ".terraform/plugins"
+
+ec2.host        =  e>> LinuxHost.ec2_using_terraform( \
+                               @s[:username],         \
+                               @s[:private_key],      \
+                               @f[:runtime][:dir],    \
+                               @s[:keypair_name],     \
+                               @s[:exe_filename],     \
+                               @s[:exe_source_dir],   \
+                               @f[:runtime][:archive] \
+                       )
+
+
+[domain]
+has.domain?     =  e>> exists?( @p[:root_domain] )
+root(if)        =  { @s[:has_domain?] } e>> @p[:root_domain]
+www(if)         =  { @s[:has_domain?] } e>> "www" + dot + @s[:root]
+https(if)       =  { @s[:has_domain?] } e>> "https://"  + @s[:www]
+http(if)        =  { @s[:has_domain?] } e>> "http://"   + @s[:www]
+
+
+[machine]
+suffix          =  host
+name.known?     =  e>> exists?(@f[@i[:workstation]][plugin_symbol(@s[:suffix])])
+
+fact.name(if)   =  { @s[:name_known?] } e>> @f[@i[:workstation]][plugin_symbol(@s[:suffix])]
+key.name(if)    =  { @s[:name_known?] } e>> @s[:fact_name] + ".ssh.key.pem"
+ssh.key(if)     =  { @s[:name_known?] } e>> File.join @f[@i[:workstation]][:ssh_keydir], @s[:key_name]
+user.name(if)   =  { @s[:name_known?] } e>> @f[symbol(@s[:fact_name])][:username]
+host.name(if)   =  { @s[:name_known?] } e>> @f[symbol(@s[:fact_name])][:hostnames].first
+net.bridge(if)  =  { @s[:name_known?] } e>> @f[symbol(@s[:fact_name])][:net_bridge]
+
+host.class(if)  =  { @s[:name_known?] } e>> LinuxHost.existing_host( \
+                            @s[:host_name], \
+			    @s[:user_name], \
+			    @s[:ssh_key],   \
+			    @s[:net_bridge] \
+                            )
+
+host.class(un)  =  { @s[:name_known?] } e>> @f[:terraform][:ec2_host]

data/lib/opensecret/factbase/readme.md

@@ -0,0 +1,24 @@
+
+# Fact File Read Order
+
+Fact files are assimilated in a simple yet powerful manner.
+
+## Assimilation Order
+
+The fact files are assimilated in this order
+
+ - first the **core fact files** in the **reusable.facts** folder
+ - next is the **plugin's fact file** eg ***gitlab.dev.ini*** in reusable.plugins/gitlab.dev
+ - then every fact file in the **reusable.facts/general** directory and subdirectories
+ - then it is all the fact files declared for **import via HTTP, SCP, SFTP and Rest APIs**
+ - then from **git repositories, key-value stores** (etcd, redis) and **(nosql) databases**
+ - finally, **credential fact files on removable media**, in vaults and key pass structures
+
+## Indexing for Large Fact Repositories
+
+Once the third reusable.facts/general store becomes **large** we could devise methods of
+
+ - **indexing** all the **long-lived facts** as and when they are produced
+ - **mining fact dependencies** from plugin software, fact files and templates
+ - then **importing** just the needful set of facts (and their dependencies)
+

data/lib/opensecret/factbase/retired.facts/maven.database.ide.facts.ini

@@ -0,0 +1,127 @@
+[database]
+name            =  app_datastore
+admin.username  =  e>> "admin.usr." + Stamp.yyjjj_hhmm_sst
+admin.password  =  e>> Secrets.derive_alphanum
+app.username    =  e>> "app.usr." + Stamp.yyjjj_hhmm_sst
+app.password    =  e>> Secrets.derive_alphanum
+
+content.url     =  https://www.eco-platform.co.uk/content/database.git/
+content.name    =  e>> "db.content." + Stamp.yyjjj_hhmm_sst
+content.zip     =  e>> @f[:database][:content_name] + ".zip"
+content.files   =  e>> GitFlow.file_names @f[:database][:content_url]
+content.path    =  /var/lib/mongodb/content.library
+
+import.stmts    =  e>> MongoFlow.to_inport_stmts(     \
+                          @f[:database][:content_files], \
+		          @f[:database][:content_path],  \
+		          @f[:database][:database_name], \
+		          @f[:database][:app_username],  \
+		          @f[:database][:app_password]   \
+		          )
+
+
+[rest]
+docs.url        =  https://www.eco-platform.co.uk/content/rest.documents.git/
+docs.offset     =  application.objects/
+zip.basename    =  e>> @f[:s3][:upload_prefix] + "application.objects"
+zip.filename    =  e>> @f[:rest][:zip_basename] + ".zip"
+
+
+[ide]
+idea.iml.dir    =  e>> File.join @f[:runtime][:dir], "idea_modules"
+conf.repo.url   =  https://www.eco-platform.co.uk/content/intellij.conf.git/
+conf.base.dir   =  e>> File.join @f[:runtime][:dir], "ide_config"
+conf.dir.name   =  apollo.laundry4j
+conf.home.dir   =  e>> File.join @f[:ide][:conf_base_dir], @f[:ide][:conf_dir_name]
+
+idea.prop.src   =  e>> File.join @f[:runtime][:dir], "asset.idea.properties"
+idea.prop.dir   =  C:/Program Files (x86)/JetBrains/IntelliJ IDEA Community Edition 14.0.2/bin
+idea.prop.dst   =  e>> File.join @f[:ide][:idea_prop_dir], "idea.properties"
+
+options.base.dir  = e>> File.join @f[:runtime][:dir], "ide_config/apollo.laundry4j/options"
+default.xml.file  = project.default.xml
+default.xml.path  = e>> File.join @f[:ide][:options_base_dir], @f[:ide][:default_xml_file]
+
+
+[maven]
+jar.projects    = e>> %w[                                                              \
+	                    https://www.eco-platform.co.uk/commons/laundry4j.facility  \
+                            https://www.eco-platform.co.uk/commons/laundry4j.mappable  \
+		      	    https://www.eco-platform.co.uk/commons/laundry4j.mappers   \
+		            https://www.eco-platform.co.uk/commons/laundry4j.clusters  \
+		      	    https://www.eco-platform.co.uk/football/footb4ll.net       \
+		            https://www.eco-platform.co.uk/commons/laundry4j.explorer  \
+			   ]
+
+
+install.dir     =  C:/Program Files/apache-maven-3.3.9
+settings.xml    =  C:/Program Files/apache-maven-3.3.9/conf/settings.xml
+version.dev     =  e>> Stamp.yyjjj_hhmm_sst + "-SNAPSHOT"
+version.push    =  e>> Stamp.yyjjj_hhmm_sst
+
+builds.dir      =  e>> File.join @f[:runtime][:dir], "maven_builds"
+amalgam.dir     =  e>> File.join @f[:runtime][:dir], "maven_projects"
+javadocs.dir    =  e>> File.join @f[:runtime][:dir], "maven_javadocs"
+apidocs.dir     =  e>> File.join @f[:maven][:javadocs_dir], "site/apidocs"
+pom.xml.src     =  e>> File.join @f[:runtime][:dir], "asset.amalgam.pom.xml"
+pom.xml.dst     =  e>> File.join @f[:maven][:amalgam_dir], "pom.xml"
+
+css.file.src    =  e>> File.join @f[:runtime][:dir], "asset.stylesheet.css"
+css.file.dst    =  e>> File.join @f[:maven][:apidocs_dir], "stylesheet.css"
+
+index.html.src  =  e>> File.join @f[:maven][:apidocs_dir], "overview-summary.html"
+index.html.dst  =  e>> File.join @f[:maven][:apidocs_dir], "index.html"
+
+cmd.prefix      =  e>> "mvn -f " + @f[:maven][:pom_xml_dst] + " clean "
+cmd.javadocs    =  e>> @f[:maven][:cmd_prefix] + "javadoc:aggregate source:aggregate"
+
+war.project     =  https://www.eco-platform.co.uk/commons/laundry4j.web
+war.module      =  e>> Pom.get_module_name @f[:maven][:war_project]
+projects        =  e>> @f[:maven][:jar_projects].push @f[:maven][:war_project]
+war.prj.dir     =  e>> File.join @f[:maven][:amalgam_dir], @f[:maven][:war_module]
+war.pom.xml     =  e>> File.join @f[:maven][:war_prj_dir], "pom.xml"
+war.run.cmd     =  e>> "mvn  -f " + @f[:maven][:war_pom_xml] + " cargo:run -P tomcat8x"
+
+module.names    =  e>> Pom.get_module_names @f[:maven][:projects]
+module.lines    =  e>> Refactor.sandwich_lines @f[:maven][:module_names], "<module>", "</module>", 16
+
+no1.prj.dir     =  e>> File.join @f[:maven][:amalgam_dir], @f[:maven][:module_names].first
+no1.pom.xml     =  e>> File.join @f[:maven][:no1_prj_dir], "pom.xml"
+version.cmd     =  e>> "mvn -f " + @f[:maven][:no1_pom_xml] + " versions:set -DgroupId=com.* -DartifactId=* -DnewVersion=" + @f[:maven][:version_dev] + " -DgenerateBackupPoms=false"
+
+
+############ mvn -f facility/pom.xml versions:set -DgroupId=com.* -DartifactId=* -DnewVersion=77.77.00-SNAPSHOT
+###### http://localhost:8899/explorer-17.263.1858-SNAPSHOT
+
+# --
+# -- Create ruby/maven commands that act on one or more projects
+# -- Command examples
+# --   - system "mvn -f maven_projects/customer/pom.xml clean install"
+# --
+install.opts = clean install
+install.cmd = e>> "mvn -f " + @f[:maven][:pom_xml_dst] + " clean install"
+
+## cmd.prefix   = e>> "system " + Ch.dq + "mvn -f maven_projects/"
+## cmd.postfix  = /pom.xml
+
+
+[git]
+base.url        =  https://www.eco-platform.co.uk
+local.dir       =  e>> File.dirname Dir.pwd
+dot.git.dir     =  e>> File.join @f[:git][:local_dir], ".git"
+revision        =  e>> GitFlow.wc_revision @f[:git][:dot_git_dir]
+ssh.keyfile     =  e>> File.join Home.dir, "com.laundry4j.drive/library.ssh.access.keys/gitlab.laundry4j.private.key.pem"
+
+[git.content]
+url             =  e>> File.join @f[:git][:base_url], "content"
+
+
+[git.commons]
+url             =  e>> File.join @f[:git][:base_url], "commons"
+eco.proj.name   =  eco-platform
+eco.repo.name   =  e>> @s[:eco_proj_name] + ".git"
+eco.repo.url    =  e>> File.join @s[:url], @s[:eco_repo_name]
+
+
+
+

data/lib/opensecret/factbase/retired.facts/s3-upload-block-facts.ini

@@ -0,0 +1,17 @@
+# --- --------------------------------------------------------------------- --- #
+# --- This fact (INI) file database carries facts for the s3 upload block.  --- #
+# --- --------------------------------------------------------------------- --- #
+# --- [DEPENDENCY] => @f[:upload][:src_file_name]                          --- #
+# ---              => This dependency must be set before fact evaluation.   --- #
+# --- --------------------------------------------------------------------- --- #
+
+[upload]
+src.file.path = e>> File.join @f[:runtime][:dir], @f[:upload][:src_file_name]
+dot.full.extn = e>> File.extname @f[:upload][:src_file_path]
+src.base.name = e>> File.basename @f[:upload][:src_file_name], @f[:upload][:dot_full_extn]
+prefix.less.name = e>> @f[:upload][:src_base_name][ @f[:s3][:upload_prefix].length .. -1 ]
+app.props.base = e>> @f[:upload][:prefix_less_name] + @f[:upload][:dot_full_extn]
+app.props.key = e>> (@f[:upload][:app_props_base] + Ch.p + "url").gsub(".","_").to_sym
+dst.file.base = e>> @f[:upload][:prefix_less_name] + Ch.p + @f[:stamp][:midi]
+dst.file.name = e>> @f[:upload][:dst_file_base] + @f[:upload][:dot_full_extn]
+dst.file.path = e>> File.join @f[:s3][:uploads_dir], @f[:upload][:dst_file_name]

data/lib/opensecret/plugins.io/cipher/crypto.rb

@@ -0,0 +1,174 @@
+#!/usr/bin/ruby
+
+# --
+# -- Create dynamic secrets of various flavours including 
+# --
+# --   - ssh public/private key secrets
+# --   - secret keys for internal database services
+# --   - hashed SHA256 keys for Jenkins user auth
+# --
+class Crypto
+
+  # --
+  # -- Get a viable machine password taking into account the human
+  # -- password length and the specified mix_ratio.
+  # --
+  # -- machine password length = human password length * mix_ratio - 1
+  # --
+  def self.get_amalgam_password human_password, machine_password, mix_ratio
+
+    size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
+    lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
+    raise ArgumentError.new size_error_msg unless lengths_are_perfect
+
+    machine_passwd_chunk = 0
+    amalgam_passwd_index = 0
+    amalgamated_password = ""
+
+    human_password.each_char do |passwd_char|
+
+      amalgamated_password[amalgam_passwd_index] = passwd_char
+      amalgam_passwd_index += 1
+
+      for i in 0..(mix_ratio-1) do
+        machine_pass_index = machine_passwd_chunk * mix_ratio + i
+        amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+        amalgam_passwd_index += 1
+      end
+
+      machine_passwd_chunk += 1
+
+    end
+
+    return amalgamated_password
+
+  end
+
+  # --
+  # -- Get a viable machine password taking into account the human
+  # -- password length and the specified mix_ratio.
+  # --
+  # -- machine password length = human password length * mix_ratio - 1
+  # --
+  def self.get_machine_password human_password_length, mix_ratio
+
+    machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
+    return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
+
+  end
+
+
+  # --
+  # -- Collect a password from the user with a minimum length
+  # -- specified in the parameter.
+  # --
+  # -- An exception is raised if the minimum length is not at
+  # -- least 8 characters.
+  # --
+  def self.collect_secret minimum_size, prompt_1, prompt_2
+
+    assert_min_size minimum_size
+
+    sleep(1)
+    puts "\n#{prompt_1} : "
+    first_secret = STDIN.noecho(&:gets).chomp
+
+    assert_input_text_size first_secret.length, minimum_size
+
+    sleep(1)
+    puts "\n#{prompt_2} : "
+    check_secret = STDIN.noecho(&:gets).chomp
+
+    assert_same_size_text first_secret, check_secret
+    
+    return first_secret
+
+  end
+
+
+  # --
+  # -- Engineer a raw password that is similar (approximate) in
+  # -- length to the integer parameter.
+  # --
+  def self.engineer_password approx_length
+
+    non_alphanum = SecureRandom.urlsafe_base64(approx_length);
+    return non_alphanum.delete("-_")
+
+  end
+
+
+  # --
+  # -- Raise an exception if asked to collect text that is less
+  # -- than 3 characters in length.
+  # --
+  def self.assert_min_size minimum_size
+
+    min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
+    raise ArgumentError.new min_length_msg if minimum_size < 3
+
+  end
+
+
+  # --
+  # -- Output an error message and then exit if the entered input
+  # -- text size does not meet the minimum requirements.
+  # --
+  def self.assert_input_text_size input_size, minimum_size
+
+    if( input_size < minimum_size  )
+
+      puts
+      puts "Input is too short. Please enter at least #{minimum_size} characters."
+      puts
+
+      exit
+
+    end
+
+  end
+
+
+  # --
+  # -- Assert that the text entered the second time is exactly (case sensitive)
+  # -- the same as the text entered the first time.
+  # --
+  def self.assert_same_size_text first_text, second_text
+    
+    unless( first_text.eql? second_text )
+
+      puts
+      puts "Those two bits of text are not the same (in my book)!"
+      puts
+
+      exit
+
+    end
+
+  end
+
+
+  # --
+  # -- Print out the machine password that is to be kept as an environment variable
+  # -- on any workstation used for material decryption.
+  # --
+  # -- Remember that neither the human nor machine passwords are required for the
+  # -- encryption phase. That is the beauty of assymetric cryptography - you don't
+  # -- need a private key to encrypt - just the end user's public key.
+  # --
+  def self.print_secret_env_var env_var_name, env_var_value
+
+    machine_to_env_txt = "sudo echo \"#{env_var_name}=#{env_var_value}\" >> /etc/environment"
+
+    puts
+    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+    puts "@@@ Add as environment variable @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+    puts machine_to_env_txt
+    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+    puts
+
+  end
+
+
+end